Vulnerability prioritisation can seem like a minefield. If you hand it over to a big third party to handle, you may be left in the dark by their secret algorithms or mass automation. If you try to do it yourself, either it takes you days at a time to get through it all, leaving you unable to get any of your other work done, or, by spreading the burden across your team, you end up with inconsistent vulnerability assessment and prioritisation to overcome. And this is dangerous.
But how does the inconsistent assessment and prioritisation of vulnerabilities arise? Surely everyone knows what is high risk and critical for their business, right? Wrong. While it tends to be true that no one has a better understanding of a business’ IT risks than its own IT security team, thanks to the immense pressure on this industry, staff turnover is high. This means teams have to rely on inexperienced or temporary staff to help with the workload. When team members experience burnout or sickness and go on leave with no notice, the job still goes on. This means others need to take on their responsibilities and prioritisation is now too crucial a step of vulnerability management to skip.
So how can you overcome this problem?
At RankedRight, we love a set of rules. So much so, in fact, that it’s what our platform is built upon. (We’ll go into our platform in more detail in a bit.)
To manage the inconsistency of knowledge or experience in your team, particularly during busy holiday periods, build a rule book setting out how different types of vulnerabilities would affect your business network and give them a score for how urgently they should be handled, if identified in a scan. Just as the CVSS gives a score for different vulnerabilities, you would create your own score that more accurately reflects your risk appetite.
Note that we are not suggesting you simply use CVSS as a consistent way of ranking vulnerabilities. This is not recommended, and this article will explain why.
Once you have created your rulebook – which should take some time but it’s a smart investment if done properly – you should present it to the team. The purpose of this is threefold: make them aware of this new team asset; get feedback from them on how well they understand it; test how easily they feel they could use it should the opportunity arise.
You can then edit it based on their feedback, and save it somewhere secure but easily accessible.
As well as setting rules for how different vulnerabilities should be prioritised, you can take the rulebook a step further by also including instructions on who different vulnerabilities should be delegated to. This will help speed up the process of critical remediation and give temporary staff a full picture of the prioritisation program.
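As an added illustration of the rulebook described in the two paragraphs above (example code written for this article, not RankedRight's platform), the following Python rule engine starts from the scanner's CVSS score, applies business rules in order to produce a custom urgency score, and delegates each finding to a team. All rules, asset names, teams and scan findings are constructed sample data.

```python
"""Minimal vulnerability-prioritisation rulebook (constructed example).
Rules are predicates over a scan finding plus a score adjustment and an
optional owner; the final score, not raw CVSS, decides the handling order."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

@dataclass
class Finding:
    plugin: str            # scanner check name, e.g. "OpenSSH outdated"
    asset: str             # hostname reported by the scan
    cvss: float            # vendor score, used only as the starting point
    internet_facing: bool
    exploit_public: bool
    tags: set = field(default_factory=set)

@dataclass
class Rule:
    name: str
    when: Callable[[Finding], bool]
    adjust: float = 0.0            # added to the running score when the rule fires
    owner: Optional[str] = None    # team to delegate to when the rule fires

# Constructed rulebook: the business sets these values, not the scanner.
RULEBOOK = [
    Rule("start from CVSS", lambda f: True),
    Rule("internet facing", lambda f: f.internet_facing, 3.0, "perimeter-team"),
    Rule("public exploit", lambda f: f.exploit_public, 2.0),
    Rule("payment systems", lambda f: "pci" in f.tags, 2.5, "payments-team"),
    Rule("isolated lab", lambda f: "lab" in f.tags, -4.5, "lab-admins"),
]

def prioritise(f: Finding, rules=RULEBOOK) -> Tuple[float, str, List[str]]:
    """Return (urgency 0-10, owning team, names of rules that fired)."""
    score, owner, fired = f.cvss, "default-queue", []
    for r in rules:
        if r.when(f):
            score += r.adjust
            fired.append(r.name)
            if r.owner:          # later owner rules override earlier ones
                owner = r.owner
    return round(min(max(score, 0.0), 10.0), 1), owner, fired

def rank(findings: List[Finding]) -> List[Finding]:
    """Order findings by rulebook score, most urgent first."""
    return sorted(findings, key=lambda f: prioritise(f)[0], reverse=True)

SAMPLE = [  # constructed scan output; note CVSS alone would rank them 1, 3, 2
    Finding("OpenSSH outdated", "lab-box-01", 9.8, False, True, {"lab"}),
    Finding("TLS weak cipher", "shop-web-01", 5.3, True, False, {"pci"}),
    Finding("Kernel local privesc", "build-01", 7.8, False, False, set()),
]
```

Running `rank(SAMPLE)` places the low-CVSS but internet-facing payment host first and the high-CVSS lab box last, which is the kind of risk-appetite judgement a rulebook makes explicit and repeatable.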
If your team is prone to change quite often, then an alternative to investing time in your own rulebook would be to assign the prioritisation responsibilities to one person, with another as backup. While this fixes the inconsistency issue, it is highly risky: your prioritisation lead could suddenly leave the business, hindering the ability of your remediation team to remediate in order of criticality.
If the culprits of incorrect prioritisation are most likely to be the newer or temporary team members, then rework your onboarding programme to ensure that more focus is applied to understanding what is needed to rank effectively.
Onboarding ensures your new starters get up to speed in their roles as quickly as possible and will be something your HR department most likely offers every new employee when they join your business. The onboarding program typically covers general topics such as company purpose, who’s who, IT training etc., but if you arrange a meeting with HR, you should be able to work on adding a section of training that covers the company’s IT infrastructure in great detail. They may also be able to work out a schedule whereby information packs sent out before the new joiner’s first day include valuable reading recommendations and, upon starting, they have access to online courses to help them even further.
If a lack of knowledge and understanding is the problem, fill the gaps.
We suggested creating a prioritisation rulebook earlier in this article, and your reaction may have been that it sounded like too much work. Perhaps too complicated and too risky? We agree, which is why we created a platform where the rulebook is built in.
Using our simple system, you can set rules for how different vulnerabilities should be prioritised and delegated and you’ll have the most up-to-date vulnerability intelligence at your side to help your decision making.
It’s a comprehensive process – we can’t afford for you to miss any areas – but it’s quick and easy to complete. We then take over the prioritisation process based on the rules you’ve set, which means that the data from every scan is ranked correctly and in a consistent way. Not only do you overcome the inconsistency problem, but you hand over the task of manual triage too, saving you much-needed time.
The inconsistent assessment and prioritisation of vulnerabilities across your team could prove incredibly damaging for your company’s security position. Address this today.